Commit b18012d

author
erouault
committed
* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (bugzilla #2508)
1 parent aaab5c3 commit b18012d

2 files changed

+14
-2
lines changed

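--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+(bugzilla #2508)
+
 2015-12-27 Even Rouault <even.rouault at spatialys.com>
 
 * libtiff/tif_luv.c: fix potential out-of-bound writes in decode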

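--- a/libtiff/tif_next.c
+++ b/libtiff/tif_next.c
@@ -37,7 +37,7 @@
 case 0: op[0] = (unsigned char) ((v) << 6); break; \
 case 1: op[0] |= (v) << 4; break; \
 case 2: op[0] |= (v) << 2; break; \
-case 3: *op++ |= (v); break; \
+case 3: *op++ |= (v); op_offset++; break; \
 } \
 }
 
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 uint32 imagewidth = tif->tif_dir.td_imagewidth;
 if( isTiled(tif) )
 imagewidth = tif->tif_dir.td_tilewidth;
+tmsize_t op_offset = 0;
 
 /*
 * The scanline is composed of a sequence of constant
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
 * bounds, potentially resulting in a security
 * issue.
 */
-while (n-- > 0 && npixels < imagewidth)
+while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
 SETPIXEL(op, grey);
 if (npixels >= imagewidth)
 break;
+if (op_offset >= scanline ) {
+TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+(long) tif->tif_row);
+return (0);
+}
 if (cc == 0)
 goto bad;
 n = *bp++, cc--;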
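Review bot: The new `tmsize_t op_offset = 0;` is placed after the `if( isTiled(tif) ) imagewidth = ...;` statement, which makes it a declaration after a statement; that is C99-only and will fail on a strict C89 toolchain, which the surrounding style (`uint32 npixels = 0, grey;` declared first in the block) suggests this file still caters for. Move it up beside the other declarations: `uint32 npixels = 0, grey;` / `tmsize_t op_offset = 0;` before the `uint32 imagewidth` line. The bound itself reads correctly as far as the hunk shows: `op_offset` is incremented only in the `case 3` arm where `*op++` advances, so it tracks the number of fully written bytes and the `op_offset < scanline` test is evaluated before every SETPIXEL, keeping the `op[0]` write at an index below `scanline`. An equivalent form that avoids changing the macro would compare the pointer directly, `(tmsize_t)(op - row) < scanline`, assuming `row` is the base `op` was set from; that assignment is outside the hunk. NeXTDecode starts and ends outside these hunks, so whether each row stays within `buf + occ` cannot be confirmed from here.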
